QuimaRAT: A New Rent-a-Malware Kit That Hits Windows, Mac and Linux

Researchers at LevelBlue say the Java-based remote access tool is being sold as a subscription, starting at $150 a month, and works across all three major desktop systems.

ThreatVectr Newsdesk· 3 min read
Full-frame overhead editorial photograph of three different laptops arranged side by side on a dark desk, one Windows machine, one silver macOS-style laptop, on
Share

Key points

  • Security firm LevelBlue has identified a new piece of malware called QuimaRAT that runs on Windows, macOS and Linux computers.
  • QuimaRAT is a remote access trojan, meaning software that lets a criminal secretly control someone else's computer over the internet.
  • The tool is rented out to criminals for between $150 for one month and $1,200 for lifetime access.
  • It is written in Java, a programming language that runs almost anywhere, which is why one build can attack three different operating systems.

A new piece of criminal software is doing the rounds, and it does not care what kind of computer you use.

Researchers at cybersecurity firm LevelBlue have named it QuimaRAT. It is a remote access trojan, which is a fancy way of saying a hidden program that gives a criminal a live connection into your machine, as if they were sitting at your keyboard.

The unusual part is the reach. Most desktop malware is built for Windows and ignores the rest. QuimaRAT runs on Windows, macOS and Linux from the same codebase.

Why does this one work on Macs and Linux too?

Because it is written in Java, a decades-old programming language designed to run the same code on almost any device. That design choice means the criminals only have to build the tool once. Whatever operating system the victim is using, the malware finds a way to do its job.

In practice, this lowers the bar. A buyer does not need three different tools for three different targets. One subscription covers the lot.

How is it being sold?

As a service, like Netflix, but for crime. This model is known in the industry as malware-as-a-service, or MaaS. Instead of writing their own hacking tools, aspiring criminals rent finished kits from someone else and point them at victims.

According to LevelBlue, first flagged by The Hacker News, QuimaRAT's pricing runs from $150 for a single month up to $1,200 for lifetime access, with a middle tier around $300. That is cheap. A serious enterprise security product costs many times more per seat.

The failure mode here is predictable. Low price plus cross-platform reach plus a ready-made control panel equals a lot of amateurs suddenly holding a working remote access tool.

What can QuimaRAT actually do?

Once it is on a machine, a remote access trojan of this class typically lets the operator watch what the user is doing, copy files, capture passwords as they are typed, switch on the webcam or microphone, and drop further malicious software onto the computer. LevelBlue's analysis places QuimaRAT in that same bracket.

It is, in short, full remote control of your device without your knowledge.

How does it get onto a computer in the first place?

The usual way. Malicious email attachments, fake installers on dodgy download sites, and cracked software are the standard delivery routes for this category of tool. Nothing exotic is required. The victim clicks something they should not have clicked, and the Java payload runs.

One thing the post-mortem will say, again, is that Java was already installed and no one was watching what it did.

What should ordinary people do?

Not much different from usual, but do it properly. Do not run Java-based files from email. Do not install cracked apps. Keep your operating system and browser updated. If you have a Mac or a Linux machine and have long assumed malware is a Windows problem, stop assuming that.

For IT teams, the operational takeaway is simple: your endpoint detection needs to actually cover the Macs and Linux boxes, not just the Windows fleet.

© 2026 Threat Vectr